lists.freeradius.org
Sign In Sign Up
Manage this list Sign In Sign Up

Keyboard Shortcuts

Thread View

  • j: Next unread message
  • k: Previous unread message
  • j a: Jump to all threads
  • j l: Jump to MailingList overview
thread

Re:

Thor Spruyt

24 Sep 2009 24 Sep '09
9:05 a.m.

Hi, I tried to get this working also and I found that if you let the ldap module *not* check the password_header, then the password incl. the header is put in the User-Password attribute. If you then use auto_header = yes for the pap module, it should figure out automatically to do crypt... unless the uppercase CRYPT is causing issues... Here's some sample debug output to check your setup: [ldap] Password header not found in password {crypt}XXXXXXXXXXX for user test [ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap] returns ok ++- group returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "xxxx" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok Regards, Thor.

...

----- Oorspronkelijk bericht ----- Van : wessam seleem [mailto:wessam.seleem@gmail.com] Verzonden : donderdag , september 24, 2009 02:16 PM Aan : tnt@kalik.net, 'FreeRadius users mailing list' Onderwerp : Re: "known good" error

Thanks Ivan for your reply. Here is the ldap configuration section:

ldap { server = "x.x.x.x" identity = "cn=username" password = password basedn = "ou=email,o=data,c=eg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_header = "{CRYPT}" ldap_connections_number = 100 timeout = 15 timelimit = 10 net_timeout = 5

tls { start_tls = no }

profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = radiususerPassword }

and here is the debug message

++[ldap] returns ok Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0

Thanks for your support. Wessam

On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt@kalik.net> wrote:

...
...

I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".

Replacing User-Password in config items with Cleartext-Password. !!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...

!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!

Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.

Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.

Ivan Kalik Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

0 0
Reply
Sign in to reply online Use email software

Back to the thread

Back to the list

HyperKitty Powered by HyperKitty version 1.3.12.